Alon,

I've started working on (1) and (2). Attached is the updated cryptoapi.c. Would you prefer a patch when changes involve a single file? Can you tell me what you think (is this moving in the right direction)? Initially, I've only moved the LoadLibrary code into its own function, but it's still called from the same place. Should I go further and move this initialization code somewhere else? If so, can you suggest where I should look to hook in the initialization?

As for (2), I've created a function that unloads the library and clears out the variables... but it's not called from anywhere. I guess if I know where the initialization will go, then I can find a good place from which to call the cleanup code.

As for (3), where is the SSL role defined? Or, alternatively, what is the procedure when cryptoapi isn't used to verify the certificate is in the correct role?

I hope to contribute further. This is my first time looking at the openvpn source, so please bear with me (or let me know it's not worth your time).

Regards,
Jason

-----Original Message-----
From: Alon Bar-Lev [mailto:alon.bar...@gmail.com]
Sent: Thursday, 25 September, 2008 01:10
To: Jason R. Coombs
Cc: openvpn-devel@lists.sourceforge.net
Subject: Re: [Openvpn-devel] [PATCH v4] Use CryptoAPI CA store (was Re: [PATCH v3] Use CryptoAPI CA store)

Hello,

I cleaned it up a little but still things should be done:

1. Add initialize code and load all entry points for this module at one place, single LoadLibrary etc...
2. Add cleanup code to unload all static module resources.
3. Check SSL role by OpenSSL configuration (client or server), see TODO signature.
4. Cleanup warnings.

Available at [1], I did not check it as I don't have active Windows configuration now.

Can you please complete it?

Alon.

[1] http://svn.openvpn.net/projects/openvpn/contrib/alon/BETA21-ms-chk-2/openvpn

On 9/24/08, Jason R. Coombs <jar...@jaraco.com> wrote:
> I'd really like to see this feature in a future build.
>
> Is there anything more that needs to be done to integrate this into 2.1?
> I can help with code cleanup/refactoring. I don't have a development
> environment set up, though, so I'd be working blind.
>
> Cheers,
> Jason
>
> On 9/23/07, Faidon Liambotis wrote:
> Alon Bar-Lev wrote:
> > On 9/22/07, Faidon Liambotis <paravoid@xxxxxxxxxx> wrote:
> >> Alon Bar-Lev wrote:
> >>> So you need to use CertVerifyCertificateChainPolicy() with
> >>> CERT_CHAIN_POLICY_SSL
> >> I'm no Microsoft developer (and I don't want to be, to be honest) but
> >> if I understand it right, it's better to call CertGetCertificateChain()
> >> as I am doing.
> >
> > You need to use both, one to create the chain and the other to verify
> > that it meets with system CTL for SSL.
> Seems that you are right. Below you will find -v4 of the patch that does
> that.
>
> Also, my previous version didn't actually check for revocations,
> contrary to what I documented.
> I added CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT to the dwFlags of
> CertGetCertificateChain.
>
> Let me know what you think.
>
> Thanks,
> Faidon
>
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> Build the coolest Linux based applications with Moblin SDK & win great prizes
> Grand prize is a trip for two to an Open Source event anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> Openvpn-devel mailing list
> Openvpn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel
>
Attachment: cryptoapi.c
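The thread above settles on a two-step check: build the chain against the Windows CA store with revocation checking on everything but the root (CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT), then verify that the chain is acceptable for the SSL role the peer is supposed to play. The script below is an added example, not code from this thread or from the OpenVPN project: it performs the same check from PowerShell through .NET's X509Chain, which on Windows drives the same CryptoAPI chain engine that CertGetCertificateChain uses, so a tester can see which certificates the system store would accept for the client or server role before touching the C code. It assumes a Windows host and a certificate file at a placeholder path; the function name Test-PeerCertificateChain and the -PeerRole parameter are the example's own.

```powershell
# Added example (not from the thread or the OpenVPN project): verify a peer
# certificate against the Windows CA store for a given SSL role, with
# revocation checked on every chain element except the root. On Windows,
# X509Chain.Build() runs the CryptoAPI chain engine; RevocationFlag ExcludeRoot
# corresponds to CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT, and the
# application-policy OID is the extended key usage the SSL policy checks.

function Test-PeerCertificateChain {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,

        # Role the peer is expected to play: a VPN client verifying its server
        # requires id-kp-serverAuth; a server verifying a client requires id-kp-clientAuth.
        [ValidateSet('Server', 'Client')]
        [string] $PeerRole = 'Server'
    )

    # Extended key usage OIDs for the two TLS roles.
    $ekuOid = if ($PeerRole -eq 'Server') { '1.3.6.1.5.5.7.3.1' } else { '1.3.6.1.5.5.7.3.2' }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid $ekuOid)) | Out-Null
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    # No relaxations: unknown revocation status, wrong usage or an expired chain all fail.
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag

    $valid = $chain.Build($Certificate)

    # Record the chain that was built and every status flag the engine raised.
    $elements = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    $problems = @($chain.ChainStatus | ForEach-Object { '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim() })
    $chain.Reset()

    [PSCustomObject]@{
        Subject  = $Certificate.Subject
        PeerRole = $PeerRole
        Valid    = $valid
        Chain    = $elements
        Problems = $problems
    }
}

# Usage (the path is a placeholder): load a certificate file and check it
# as the certificate of a VPN server.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\path\to\peer.cer'
Test-PeerCertificateChain -Certificate $cert -PeerRole Server | Format-List
```

Valid comes back $false with the reasons in Problems (for example a revoked intermediate, or a chain that lacks the requested key usage), which is the outcome the thread wants the C code to reject as well. One caveat: this covers chain building, the role's key usage and revocation, but CERT_CHAIN_POLICY_SSL in the C API additionally matches the server name passed in pwszServerName, which X509Chain does not do, so a name check still has to happen in the C implementation or in OpenVPN's own verification.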